-- The MAILING DATE of this communication appears on the cover sheet with the correspondence address --

All claims being allowable, PROSECUTION ON THE MERITS IS (OR REMAINS) CLOSED in this application. If not included 
herewith (or previously mailed), a Notice of Allowance (PTOL-85) or other appropriate communication will be mailed in due course. THIS 
NOTICE OF ALLOWABILITY IS NOT A GRANT OF PATENT RIGHTS. This application is subject to withdrawal from issue at the initiative 
of the Office or upon petition by the applicant. See 37 CFR 1.313 and MPEP 1308.

1. ☒ This communication is responsive to the amendment filed 09/22/2008.

2. The allowed claim(s) is/are 57-68, 72-77, 81-86 and 90-98.

3. □ Acknowledgment is made of a claim for foreign priority under 35 U.S.C. § 119(a)-(d) or (f). 

a) □ All b) □ Some* c) □ None of the:

1. □ Certified copies of the priority documents have been received.

2. □ Certified copies of the priority documents have been received in Application No. .

3. □ Copies of the certified copies of the priority documents have been received in this national stage application from the

International Bureau (PCT Rule 17.2(a)). 
* Certified copies not received: . 

Applicant has THREE MONTHS FROM THE "MAILING DATE" of this communication to file a reply complying with the requirements 
noted below. Failure to timely comply will result in ABANDONMENT of this application. 
THIS THREE-MONTH PERIOD IS NOT EXTENDABLE. 

4. □ A SUBSTITUTE OATH OR DECLARATION must be submitted. Note the attached EXAMINER'S AMENDMENT or NOTICE OF 

INFORMAL PATENT APPLICATION (PTO-152) which gives reason(s) why the oath or declaration is deficient. 

5. □ CORRECTED DRAWINGS (as "replacement sheets") must be submitted.

(a) □ including changes required by the Notice of Draftsperson's Patent Drawing Review (PTO-948) attached

1) □ hereto or 2) □ to Paper No./Mail Date . 

(b) □ including changes required by the attached Examiner's Amendment / Comment or in the Office action of 

Paper No./Mail Date . 

Identifying indicia such as the application number (see 37 CFR 1.84(c)) should be written on the drawings in the front (not the back) of 
each sheet. Replacement sheet(s) should be labeled as such in the header according to 37 CFR 1.121(d). 

6. □ DEPOSIT OF and/or INFORMATION about the deposit of BIOLOGICAL MATERIAL must be submitted. Note the 

attached Examiner's comment regarding REQUIREMENT FOR THE DEPOSIT OF BIOLOGICAL MATERIAL. 

1. □ Notice of References Cited (PTO-892)

2. □ Notice of Draftperson's Patent Drawing Review (PTO-948) 

3. ☒ Information Disclosure Statements (PTO/SB/08),

Paper No./Mail Date 9/22/08. 10/29/08. 11/07/2008 

4. □ Examiner's Comment Regarding Requirement for Deposit 

of Biological Material 



5. □ Notice of Informal Patent Application

6. □ Interview Summary (PTO-413), 

Paper No./Mail Date . 

7. O Examiner's Amendment/Comment 

8. ☒ Examiner's Statement of Reasons for Allowance

9. □ Other . 

DETAILED ACTION

1. Claims 57-68, 72-77, 81-86 and 90-98 are pending.

2. A request for continued examination under 37 CFR 1.114, including the fee set
forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this
application is eligible for continued examination under 37 CFR 1.114, and the fee set
forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action
has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on
09/22/2008 has been entered.



EXAMINER'S AMENDMENT 

3. An examiner's amendment to the record appears below. Should the changes 
and/or additions be unacceptable to applicant, an amendment may be filed as provided 
by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be
submitted no later than the payment of the issue fee. 

Authorization for this examiner's amendment was given in a telephone interview 
with Ted Liu on 10/29/2008. 

The application has been amended as follows: 

Please amend Claims 57, 63, 72, and 81, and cancel Claim 97, all as shown below.
Applicant respectfully reserves the right to prosecute any originally presented or canceled 
claims in a continuing or future application. This listing of claims will replace all prior versions, 
and listings, of claims in the application. 

Listing of Claims 

1-56. (Canceled) 

57. (Currently Amended) A system for maintaining security in a distributed computing 
environment, comprising: 

an application guard located at a client to manage access by individual 
transactions to securable components at a client level as specified by a local security 
policy, the securable components including at least one application wherein said 
application guard is integrated into said application and controls access to the 
application with which the application guard is integrated; 

a policy manager stored on one or more nonvolatile memories located on a 
server to: 

create a local security policy derived from a global security policy, said 
global security policy including a plurality of rules applicable to all application 
guards in the system, wherein creating the local security policy includes 
determining which of the plurality of rules of the global security policy are 
applicable to a particular application guard such that the local security policy 
contains a fewer number of rules than said global security policy; and 

distribute the local security policy to said client wherein the local security 
policy includes the rules customized to the application guard, said rules including 
a set of grant rules that allow access to securable components and a set of deny 
rules that prevent access to said securable components; and 
an application guard located at the client to manage access by individual transactions to
securable components at a client level as specified by the local security policy, the securable
components including at least one application wherein said application guard is integrated into
said application and controls access to the application with which the application guard is
integrated;

wherein the application guard receives an authorization request including a subject, an 
object and a privilege and evaluates said request by matching the rules received from the policy 
manager to said subject, said object and said privilege in order to control access to said 
application integrated with the application guard, and
wherein the policy manager further 

receives a modification on an existing global security policy; 
computes any differences caused by the modification on the global security 
policy; and 

commits only the changed portion of the global security policy to an appropriate 
application guard.

58. (Previously presented) The system of Claim 57 wherein said securable components 
further include a function within the application as specified by the security policy. 

59. (Previously Presented) The system of Claim 57 including a procedure within the 
application as specified by the security policy. 

60. (Previously Presented) The system of Claim 57 including a data structure within the 
application as specified by the security policy. 

61. (Previously Presented) The system of Claim 57 including a database object referenced 
by the application as specified by the security policy. 

62. (Previously Presented) The system of Claim 57 including a file system object referenced 
by the application as specified by the security policy. 

63. (Currently Amended) A method for maintaining security in a distributed computing 
environment, comprising: 

receiving a global security policy that includes a plurality of rules for regulating access to 
securable components in the system, the securable components including at least one 
application wherein said rules of the global security policy apply to all application guards in the
distributed computing environment; 

creating a local security policy via a policy manager located on a server, the local 
security policy including a plurality of rules customized to a client wherein creating the local 
security policy includes customizing the local security policy by determining which of the rules 
from the global security policy are applicable to a specific application guard located on the client 
such that the local security policy contains a fewer number of rules than said global security 
policy; 

distributing the local security policy to the client; [[and]] 

receiving an authorization request by the application guard, the authorization request 
including a subject, an object and a privilege wherein said application guard is integrated into 
said application and controls access to the application with which the application guard is 
integrated; 

managing access as specified by the local security policy via the application guard 
located at the client to securable components wherein managing access includes comparing 
the subject, object and privilege to the rules of the local security policy; 

receiving a modification on an existing global security policy; 

computing any differences caused by the modification on the global security policy; and 
committing only the changed portion of the global security policy to an appropriate 
application guard.

64. (Previously Presented) The method of Claim 63 wherein the securable components 
include a function within the application as specified by the security policy. 

65. (Previously Presented) The method of Claim 63 including a procedure within the 
application as specified by the security policy. 

66. (Previously Presented) The method of Claim 63 including a data structure within the 
application as specified by the security policy. 

67. (Previously Presented) The method of Claim 63 including a database object referenced 
by the application as specified by the security policy. 

68. (Previously Presented) The method of Claim 63 including a file system object referenced
by the application as specified by the security policy. 

69-71. (Canceled). 

72. (Currently Amended) A method for maintaining security in a distributed computing 
environment, comprising the steps of: 

receiving a global security policy that includes a plurality of rules for regulating access to 
securable components in the system, the securable components including at least one 
application wherein said rules of the global security policy apply to all application guards in the 
distributed computing environment; 

providing a policy manager located on a server to create a local security policy including 
a plurality of rules customized to a client wherein creating the local security policy includes 
customizing the local security policy by determining which of the rules from the global security 
policy are applicable to a specific application guard located on the client such that the local 
security policy contains a fewer number of rules than said global security policy; 

distributing the local security policy to the client; 

providing an application guard located at the client to manage access to securable 
components at a client level as specified by the local security policy, said application guard 
being integrated into said application and controlling access to the application with which the 
application guard is integrated; 

receiving an authorization request by the application guard, said authorization request 
including a subject, an object and a privilege; and 

controlling access to the securable components by matching the subject, object and 
privilege to the rules of the local security policy by the application guard; 

receiving a modification on an existing global security policy; 

computing any differences caused by the modification on the global security policy; and 
committing only the changed portion of the global security policy to an appropriate 
application guard.

73. (Previously presented) The method of Claim 72 wherein the securable components
include a function within the application as specified by the security policy. 

74. (Previously Presented) The method of Claim 72 including a procedure within the 
application as specified by the security policy. 

75. (Previously Presented) The method of Claim 72 including a data structure within the 
application as specified by the security policy. 

76. (Previously Presented) The method of Claim 72 including a database object referenced 
by the application as specified by the security policy. 

77. (Previously Presented) The method of Claim 72 including a file system object referenced 
by the application as specified by the security policy. 

78-80. (Canceled). 

81. (Currently Amended) A computer readable storage medium having stored thereon a set 
of instructions to execute a method for maintaining security in a distributed computing 
environment comprising the steps of: 

receiving a global security policy that includes a plurality of rules for regulating access to 
securable components in the system, the securable components including at least one 
application wherein said rules of the global security policy apply to all application guards in the 
distributed computing environment; 

creating a local security policy via a policy manager located on a server, the local 
security policy including a plurality of rules customized to a client wherein creating the local 
security policy includes customizing the local security policy by determining which of the rules 
from the global security policy are applicable to an application guard located on the client such 
that the local security policy contains a fewer number of rules than said global security policy; 

distributing the local security policy to the client; [[and]] 

receiving an access request by the application guard, said access request including a
subject, an object and a privilege wherein said application guard is integrated into said 
application and controls access to the application with which the application guard is integrated; 

matching the access request to at least one rule selected from the rules of the local 
security policy in order to manage access as specified by the local security policy via the 
application guard located at the client to securable components; 

receiving a modification on an existing global security policy; 

computing any differences caused by the modification on the global security policy; and 
committing only the changed portion of the global security policy to an appropriate 
application guard.

82. (Previously Presented) The computer readable storage medium of Claim 81 wherein the 
securable components include a function within the application as specified by the security 
policy. 

83. (Previously Presented) The computer readable storage medium of Claim 81 including a 
procedure within the application as specified by the security policy. 

84. (Previously Presented) The computer readable storage medium of Claim 81 including a 
data structure within the application as specified by the security policy. 

85. (Previously Presented) The computer readable storage medium of Claim 81 including a 
database object referenced by the application as specified by the security policy. 

86. (Previously Presented) The computer readable storage medium of Claim 81 including a 
file system object referenced by the application as specified by the security policy. 

87-89. (Canceled). 

90. (Previously Presented) The system of claim 57, wherein the application guard further 
allows for additional customized code to process and evaluate authorization requests based on 
the additional customized code. 

91. (Previously presented) The system of claim 90, wherein the global policy specifies
access privileges of a user to securable components. 

92. (Previously presented) The method of claim 72, wherein the application guard further 
allows for additional customized code to process and evaluate authorization requests based on 
the additional customized code. 

93. (Previously presented) The method of claim 92, wherein the global policy specifies 
access privileges of a user to securable components. 

94. (Previously presented) The computer readable storage medium of claim 81, wherein the 
application guard further allows for additional customized code to process and evaluate 
authorization requests based on the additional customized code. 

95. (Previously presented) The computer readable storage medium of claim 94, wherein the 
global policy specifies access privileges of a user to securable components. 

96. (Previously presented) The system of Claim 57 wherein said policy manager is further 
capable of optimizing said global security policy into an optimized form, wherein the 
optimized form only distributes attributes relevant to a specific application guard. 

97. (Canceled) 

98. (Previously presented) The system of Claim 57 wherein said application guard is further 
capable of being associated with plug-ins to allow for additional capabilities based on 
customized code. 

Allowable Subject Matter

4. Claims 57, 63, 72 and 81 are allowable. Claims 59-62, 64-68, 74-77 and 82-86, 
previously withdrawn from consideration as a result of a restriction requirement, require 
all the limitations of an allowable claim. Pursuant to the procedures set forth in MPEP § 
821.04(a), the restriction requirement, as set forth in the Office action mailed on
06/13/2005, is hereby withdrawn and claims 59-62, 64-68, 74-77 and 82-86 are
hereby rejoined and fully examined for patentability under 37 CFR 1.104. In view of the
withdrawal of the restriction requirement, applicant(s) are advised that if any claim 
presented in a continuation or divisional application is anticipated by, or includes all the 
limitations of, a claim that is allowable in the present application, such claim may be 
subject to provisional statutory and/or nonstatutory double patenting rejections over the 
claims of the instant application. Once the restriction requirement is withdrawn, the 
provisions of 35 U.S.C. 121 are no longer applicable. See In re Ziegler, 443 F.2d 1211,
1215, 170 USPQ 129, 131-32 (CCPA 1971). See also MPEP § 804.01.

5. Claims 57-68, 72-77, 81-86 and 90-98 are allowed. 

6. The following is an examiner's statement of reasons for allowance: The prior art 
generally teaches modifying and implementing security policies based from a global 
security policy. However, the prior art fails to teach "receiving a modification on an 
existing global security policy; computing any differences caused by the modification on 
the global security policy; and committing only the changed portion of the global security 
policy to an appropriate application guard" in combination with the remaining claimed 
limitations. 

Any comments considered necessary by applicant must be submitted no later
than the payment of the issue fee and, to avoid processing delays, should preferably 
accompany the issue fee. Such submissions should be clearly labeled "Comments on 
Statement of Reasons for Allowance." 



Conclusion 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to MICHAEL PYZOCHA whose telephone number is 
(571)272-3875. The examiner can normally be reached on Monday-Thursday, 7:00am - 
4:30pm. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Emmanuel Moise can be reached on (571) 272-3865. The fax phone 
number for the organization where this application or proceeding is assigned is 571- 
273-8300. 

Information regarding the status of an application may be obtained from the
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a 
USPTO Customer Service Representative or access to the automated information 
system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 



/M. P./

Examiner, Art Unit 2437 
/Emmanuel L. Moise/ 

Supervisory Patent Examiner, Art Unit 2437 
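
The policy flow recited in Claims 57, 63, 72 and 81 above (a local policy derived from the global policy, a guard matching subject, object and privilege against grant and deny rules, and a commit of only the changed portion) can be sketched as follows. This is an added illustration, not code from the Office action or the application; the class names, the per-rule `guards` scoping attribute, the deny-overrides-grant combining logic and the sample rules are all assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    rule_id: str
    effect: str          # "grant" or "deny"
    subject: str
    obj: str
    privilege: str
    guards: frozenset    # assumed scoping attribute: guards the rule applies to

class ApplicationGuard:
    """Client-side enforcement point holding only its local policy."""
    def __init__(self, name):
        self.name, self.rules, self.commits = name, {}, []

    def apply_delta(self, upserts, removals):
        for rid in removals:
            self.rules.pop(rid, None)
        self.rules.update({r.rule_id: r for r in upserts})
        self.commits.append((sorted(r.rule_id for r in upserts), sorted(removals)))

    def authorize(self, subject, obj, privilege):
        effects = {r.effect for r in self.rules.values()
                   if (r.subject, r.obj, r.privilege) == (subject, obj, privilege)}
        # Assumed combining logic: deny overrides grant; no matching rule denies.
        return "grant" in effects and "deny" not in effects

class PolicyManager:
    """Server-side holder of the global policy."""
    def __init__(self, guards):
        self.guards = {g.name: g for g in guards}
        self.global_policy = {}

    @staticmethod
    def local_view(policy, guard_name):
        return {rid: r for rid, r in policy.items() if guard_name in r.guards}

    def update(self, rules):
        """Diff old vs new global policy per guard; commit only what changed."""
        new_policy = {r.rule_id: r for r in rules}
        committed = {}
        for name, guard in self.guards.items():
            old = self.local_view(self.global_policy, name)
            new = self.local_view(new_policy, name)
            upserts = [r for rid, r in new.items() if old.get(rid) != r]
            removals = [rid for rid in old if rid not in new]
            if upserts or removals:          # untouched guards receive nothing
                guard.apply_delta(upserts, removals)
                committed[name] = len(upserts) + len(removals)
        self.global_policy = new_policy
        return committed

def demo():
    # Constructed sample policy; all names are illustrative.
    payroll, crm = ApplicationGuard("payroll"), ApplicationGuard("crm")
    pm = PolicyManager([payroll, crm])
    p, c = frozenset({"payroll"}), frozenset({"crm"})
    v1 = [Rule("r1", "grant", "alice", "salary_table", "read", p),
          Rule("r2", "grant", "bob", "contacts", "read", c),
          Rule("r3", "deny", "bob", "contacts", "delete", c),
          Rule("r4", "grant", "alice", "audit_log", "read", p | c)]
    first = pm.update(v1)                     # initial distribution
    before = payroll.authorize("alice", "salary_table", "read")
    v2 = v1 + [Rule("r5", "deny", "alice", "salary_table", "read", p)]
    second = pm.update(v2)                    # only the payroll guard is touched
    after = payroll.authorize("alice", "salary_table", "read")
    return pm, payroll, crm, first, second, before, after
```

Calling `demo()` shows each guard holding fewer rules than the global policy and the second update reaching only the guard whose local view changed.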



